Drupal Multiblock 6.x-1.3 XSS Vulnerability
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Multiblock module (https://drupal.org/project/multiblock) contains a persistent cross-site scripting (XSS) vulnerability because it fails to sanitize block descriptions before display.
Drupal 6.22 with Multiblock 6.x-1.3 was tested and shown to be vulnerable.
A user could inject arbitrary scripts into pages, affecting site users. This could result in attackers taking control of site users' web browsers or mounting other client-side attacks.
In order to execute arbitrary script injection, malicious users must have the ability to administer blocks.
Proof of concept exploit:
- Install and enable the Multiblock module
- Create a new block at ?q=admin/build/block/add, enter "<script>alert('xss');</script>" for the description
- Create a new instance at ?q=admin/build/block/instances, select the block created in step 2 in the 'Block type' drop down
SA-CONTRIB-2012-043 - MultiBlock - Cross Site Scripting (https://drupal.org/node/1506390) recommends upgrading to the MultiBlock module 6.x-1.4, 7.x-1.1 or later.
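The root cause above, as an added illustration that is not the Multiblock module's own code: a hypothetical Drupal 6 helper that builds the block instance listing from stored descriptions, first the unsafe way and then escaped on output with Drupal 6's check_plain(). A fallback with the same escaping is defined so the script also runs outside Drupal; the $instances data is constructed.

```php
<?php
// Added illustration of the advisory's root cause; hypothetical code, not the
// Multiblock module's own. Runs stand-alone: when Drupal's check_plain() is not
// loaded, a fallback with the same escaping (Drupal 6 uses htmlspecialchars with
// ENT_QUOTES and UTF-8) is defined.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample of stored block instances; descriptions are administrator-supplied.
$instances = array(
  1 => array('bid' => 1, 'description' => 'Sidebar news'),
  2 => array('bid' => 2, 'description' => "<script>alert('xss');</script>"),
);

// Vulnerable pattern: the stored description is placed into markup as-is, so the
// second instance injects script into every page that lists the blocks.
function instance_rows_unsafe(array $instances) {
  $rows = array();
  foreach ($instances as $delta => $instance) {
    $rows[] = array($delta, $instance['description']);
  }
  return $rows;
}

// Hardened pattern: escape at the point of output, so the same description is
// rendered as literal text rather than interpreted as HTML.
function instance_rows_safe(array $instances) {
  $rows = array();
  foreach ($instances as $delta => $instance) {
    $rows[] = array($delta, check_plain($instance['description']));
  }
  return $rows;
}

// Minimal stand-in for Drupal's theme('table'): renders rows into an HTML table.
function render_rows(array $rows) {
  $html = "<table>\n";
  foreach ($rows as $row) {
    $html .= '<tr><td>' . implode('</td><td>', $row) . "</td></tr>\n";
  }
  return $html . "</table>\n";
}

// Render both variants so the difference in the second row can be inspected.
echo render_rows(instance_rows_unsafe($instances));
echo render_rows(instance_rows_safe($instances));
```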